wannacry | 0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64

General

Target

0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll
Size

5.0MB
MD5

d97b7a813774ee9af6db3775421617ce
SHA1

b4d43253fae1ef62564d86f40f973dc0c5a3bad2
SHA256

0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64
SHA512

41b47db3c74d6e27e7f006fbbd8d2da4cd438eba213dea693c9700e4c5bf5337229a88b7c662b196e401c6768bceb32c825880070b244caf81e330c2cf529fff

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

344 mssecsvc.exe
1500 mssecsvc.exe
1548 tasksche.exe

pid	process
344	mssecsvc.exe
1500	mssecsvc.exe
1548	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1212	1660	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 344	1212	rundll32.exe	mssecsvc.exe
PID 1212 wrote to memory of 344	1212	rundll32.exe	mssecsvc.exe
PID 1212 wrote to memory of 344	1212	rundll32.exe	mssecsvc.exe
PID 1212 wrote to memory of 344	1212	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1212

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:344

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1548

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
3dc9f5d4ffa955356c9900be04a738c6

SHA1
b7667de0206c30782d9ac2cfc0840f020c0c159f

SHA256
83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2

SHA512
2f41f65186be9cb87350deca362843170617c8a46bc0074902cfc176c18150e85fead947164ae181f6757fd6b405004b3792135d674794c5803d9ed787085341

Download Submit
C:\Windows\mssecsvc.exe
MD5
3dc9f5d4ffa955356c9900be04a738c6

SHA1
b7667de0206c30782d9ac2cfc0840f020c0c159f

SHA256
83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2

SHA512
2f41f65186be9cb87350deca362843170617c8a46bc0074902cfc176c18150e85fead947164ae181f6757fd6b405004b3792135d674794c5803d9ed787085341

Download Submit
C:\Windows\mssecsvc.exe
MD5
3dc9f5d4ffa955356c9900be04a738c6

SHA1
b7667de0206c30782d9ac2cfc0840f020c0c159f

SHA256
83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2

SHA512
2f41f65186be9cb87350deca362843170617c8a46bc0074902cfc176c18150e85fead947164ae181f6757fd6b405004b3792135d674794c5803d9ed787085341

Download Submit
C:\Windows\tasksche.exe
MD5
ff4e3b19f6b2c58837ec62e97834b422

SHA1
4508fd9909f6bee22abde660c94f1a869749aaf9

SHA256
4141794ed3928905ce959c30b2c5cc84ee6bebf3a81fc4c7c2624348786776be

SHA512
86c3d9e731bf51edee3275c99ca05df3b6b2fc8350644804303a265c3c82feb6c9ffe061706a15afc626196b7d3fdca427ac43be8532eddbd7d42a9edf943d1f

Download Submit
memory/344-62-0x0000000000000000-mapping.dmp

Download
memory/1212-60-0x0000000000000000-mapping.dmp

Download
memory/1212-61-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads